assign them appropiate right at the system level (System user) then create the folders they need and assign additional rights to the folders (accepting to break the security chain) for whatever they need to do (Like Report manager rights)